VLAN trunking - Checkpoint to Cisco

I am attempting to connect a Checkpoint VPN-1 Edge X16 to a Cisco 2950 via a VLAN trunk. I have defined the various VLANs on the firewall and set the DMZ/WAN2 port to be a VLAN trunk. This port is connected to Cisco 2950 port fa0/1, which is also defined as a trunk with a native VLAN of 1. Both the Checkpoint firewall and the Cisco show that the trunking type is 802.1Q and both ends show link.

From a port-based unmanaged switch I can establish ICMP (ping) connectivity with all VLAN addresses defined on the Checkpoint firewall. I have a Solaris 10 system connected to a Cisco port defined on VLAN 1 (management VLAN) and can access the command line and HTTP interfaces. What I cannot do is access any interface on the Checkpoint firewall from the Cisco switch.

One of the items I have noticed is that when the Solaris system, or a system on the unmanaged switch, attempts to ping the Cisco or ping the Solaris system, I get an error entry in the event log. Here is an entry from attempting to ping the firewall interface from the Solaris server: "00171 Apr 02 08:44:19 PM  ICMP192.168.11.2 [SPOOFED!] (Echo Request)". Here is the error when I attempt to ping the Solaris system from a system on the unmanaged switch: "00169 Apr 02 08:43:30 PM ICMP192.168.10.9 (Conundrum) (Charon) 8 (Echo Request)".

I have routes defined on the Checkpoint firewall for all VLANs.

I need to be able to connect to the firewall to eventually access other VLANs and the outside world.

Any help is appreciated.

Could you clarify some details please ...

Firewall interface is yet the log entry shows destination as Typo?
How is the unmanaged switch connected? A system source address of indicates a different VLAN on the switch (and is this carried by the trunk?) or a different interface on the firewall.

The "SPOOFED" indication in the log means that is unexpected on whichever interface it has appeared on. Is the 192.168.11.X address of the firewall configured on the interface for untagged traffic?
jvossler (Author) commented:

Sorry for the typo.

Port 1 of the Checkpoint firewall is set up as a port-based VLAN and is connected to an unmanaged switch. This port and switch connect all the VLAN 10 systems (192.168.10.x). All of these systems are functioning correctly within themselves and to the outside world. From systems on this VLAN I can ping all the VLANs defined on the firewall. The firewall interfaces are all 192.168.X.1, where X represents the VLAN number. All of these networks are set up with a class C netmask.

The VLAN trunk is connected from the Checkpoint DMZ port, which has been configured as a VLAN trunk. Port fa0/1 on the Cisco has also been configured as an 802.1Q VLAN trunk. The management interface of the Cisco is and the Solaris server connected to the Cisco is The port that the Solaris system is connected to is defined as VLAN 1, thus I can access the command line and HTTP interfaces. The port statistics on the Cisco show that while there are sent packets on the VLAN trunk port, there are no received packets. It appears as if the Checkpoint device is not communicating.

Also, when I attempt to ping from the 192.168.10.x network to either the Solaris system or the the ping fails. Traceroute output indicates that the packets are attempting to go out to the internet through the ISP. This feels like a rules/routing issue, but it does not explain why the Solaris system cannot ping the Checkpoint device.

Let me know if you need any more information.

The pings are failing because the firewall believes the traffic from is being spoofed.

Check that the interface configured for VLAN 1 has its topology configured to include the network, or has the network been configured for VLAN 11?
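The anti-spoofing ("topology") check described in the two replies above can be modelled in a few lines. The following is an added example, not code from the thread, Checkpoint or Cisco: it parses the two event-log entries quoted in the question, applies a simplified topology check (source address must fall in a network expected on the VLAN the frame arrived on), and shows that an untagged frame from 192.168.11.2 on native VLAN 1 is flagged exactly as the firewall's log shows, while the same address tagged on VLAN 11, or a VLAN 1 topology extended with 192.168.11.0/24, passes. The ingress VLAN per log line and the network assumed on the native VLAN are constructed assumptions, since the log lines themselves do not carry them.

```python
import ipaddress
import re
from typing import Optional

IPv4Net = ipaddress.IPv4Network


def build_topology(native_net: str = "10.0.0.0/24") -> dict[int, list[IPv4Net]]:
    """Map each VLAN id to the source networks the firewall expects on it.

    Follows the scheme in the thread: the interface for VLAN X carries
    192.168.X.0/24. The native/untagged side of the trunk is modelled as
    VLAN 1 with an assumed, unrelated network (the real one is not on the page).
    """
    topo = {vlan: [ipaddress.ip_network(f"192.168.{vlan}.0/24")] for vlan in (10, 11, 12)}
    topo[1] = [ipaddress.ip_network(native_net)]  # assumption: native VLAN network
    return topo


# Matches the edge-style entries quoted in the question, e.g.
# "00171 Apr 02 08:44:19 PM  ICMP192.168.11.2 [SPOOFED!] (Echo Request)"
LOG_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"ICMP(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*(?P<spoofed>\[SPOOFED!\])?"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Extract sequence, timestamp, source address and the SPOOFED flag; None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "seq": int(m["seq"]),
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "firewall_flagged": m["spoofed"] is not None,
    }


def is_spoofed(src: ipaddress.IPv4Address, ingress_vlan: int, topology: dict) -> bool:
    """Simplified topology check: src must belong to a network expected on ingress_vlan."""
    return not any(src in net for net in topology.get(ingress_vlan, []))


# Constructed sample: the two log entries from the question plus the VLAN each
# frame is assumed to have arrived on (Solaris is untagged on native VLAN 1;
# the unmanaged-switch host is on the port-based VLAN 10).
SAMPLE_LOG = [
    ("00171 Apr 02 08:44:19 PM  ICMP192.168.11.2 [SPOOFED!] (Echo Request)", 1),
    ("00169 Apr 02 08:43:30 PM ICMP192.168.10.9 (Conundrum) (Charon) 8 (Echo Request)", 10),
]


def evaluate(log=SAMPLE_LOG, topology: Optional[dict] = None) -> list[dict]:
    """Run the model check over (log line, ingress VLAN) pairs and keep the firewall's verdict alongside."""
    topology = topology if topology is not None else build_topology()
    results = []
    for line, vlan in log:
        rec = parse_log_line(line)
        if rec is None:
            continue
        rec["ingress_vlan"] = vlan
        rec["model_spoofed"] = is_spoofed(rec["src"], vlan, topology)
        results.append(rec)
    return results


def fixed_topology() -> dict:
    """The remedy suggested above: include 192.168.11.0/24 in the VLAN 1 (untagged) topology."""
    topo = build_topology()
    topo[1].append(ipaddress.ip_network("192.168.11.0/24"))
    return topo


if __name__ == "__main__":
    for rec in evaluate():
        print(f"{rec['seq']} src={rec['src']} vlan={rec['ingress_vlan']} "
              f"firewall_flagged={rec['firewall_flagged']} model_spoofed={rec['model_spoofed']}")
    print("after topology fix:", [r["model_spoofed"] for r in evaluate(topology=fixed_topology())])
```

Either remedy clears the check in the model: adding the network to the VLAN 1 interface topology, or moving the Solaris port onto a tagged VLAN 11 so the frame arrives on the interface that already expects 192.168.11.0/24. Which one is right depends on where the firewall is meant to terminate that network, which the thread does not settle.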

jvossler (Author) commented:

I have also been working with Checkpoint support, and they have to check with someone in Israel (???) to see if the Edge device will support both port-based VLANs along with tagged VLANs. They suspect that if the firewall is using trunking on the DMZ port, none of the other switch ports can be used at all. Attempting to set one or more of them to a port-based VLAN results in indeterminate routing issues and errors caused by missing VLAN tags in the packet headers. network is reserved by the firewall OS for high availability applications, so my network is called VLAN1.

I will post what comes from Checkpoint tomorrow.

jvossler (Author) commented:

The answer was to upgrade the firmware on the firewall. I was running the release that was loaded on the unit when we received it in Sep 2005. This was release 5.0.46; the current version is 6.0.57. After performing the upgrade the device functioned as expected.

Thank you for your assistance and diligence.
